Make WordPress Core

Opened 10 years ago

Closed 9 years ago

Last modified 6 years ago

#2660 closed defect (bug) (wontfix)

WordPress admin creates invalid ( netscape ) dbx-postmeta cookies on OSX + Safari, can cause apache segfault

Reported by: jvanasco Owned by:
Milestone: Priority: normal
Severity: major Version: 2.1
Component: General Keywords: cookie corrupt
Focuses: Cc:


I came across this issue a while back, i thought it would be resolved as it was in the forums - but it wasn't, and theres no ticket either open or closed addressing it, so here are my notes:

I wrote a web services module to incorporate the TrackBack protocol into my mod_perl application

I started testing it using WordPress - the php blog software

It seems to have set a cookie (see details below) , that causes an automatic error in libapreq (accessed via the perl bindings), which can segfault apache ( libapreq isn't just used in perl, its the general Apache API for parsing cookies )

The error in the logs is :"Expected token not present"

The issue seems to be definitively caused by an issue in the way that wordpress encodes the cookie and safari sends it


From the headers_in , it seems that WordPress includes raw-php code (instead of executing it), and either wordpress or safari doesn't escape the , in the cookies.

re netscape cookie draft:
( common standard - http://wp.netscape.com/newsref/std/cookie_spec.html )
This string is a sequence of characters excluding semi-colon, comma and white space. If there is a need to place such data in the name or value, some encoding method such as URL style %XX encoding is recommended, though no encoding is defined or required.
This is the only required attribute on the Set-Cookie header."

The RFCs regarding cookies don't have the restriction , but do use , and ; as a delimiter -- and most libraries code to the netscape standard.

The fix would be to just encode/escape the , on reading/writing cookies.

In production I see little opportunities this will affect me or any other user -- its not often that people use multiple languages & projects on the same domain.

the segfault, natually, occurs whether or not the code is wrapped in an eval block. an eval block didn't seem to catch the other error either (sorry, but i can't discern what it is)

I've enclosed a Data::Dumper representation of the the APR::Table headers_in atfer the cookie info. I'll be happy to pull it into any other format if needed

To recreate this, you can use:

  • wordpress 2.0 -> 2.1
  • mac osx 10.4.(5,6) + safari 2.0.3
  • libapreq 2.07
  • httpd 2.055

  • Created
    • 193189633
  • Domain
    • g5.local
  • Expires
    • 2007-02-14T23:47:13Z
  • Name
    • dbx-postmeta
  • Path
    • /
  • Value
    • grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1+,2-

$headers_in = bless( {

'Accept' => '*/*',
'Accept-Language' => 'en',
'Accept-Encoding' => 'gzip, deflate',
'Cookie' => 'wordpressuser_c580712eb86cad2660b3601ac04202b2=admin; wordpresspass_c580712eb86cad2660b3601ac04202b2=7ebeeed42ef50720940f5b8db2f9db49; rs_session=59ae9b8b503e3af7d17b97e7f77f7ea5; dbx-postmeta=grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1+,2-',
'User-Agent' => 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8',
'Connection' => 'keep-alive',
'Host' => 'g5.local:8082'
}, 'APR::Table' );

Change History (2)

#1 @rob1n
9 years ago

Can anyone reproduce this?

#2 @Nazgul
9 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

No traction in over a year, so closing as wontfix.

Feel free to reopen if you have patches/suggestions/...

Note: See TracTickets for help on using tickets.